Trust Assessment
GSTD A2A Network received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 4 critical, 2 high, 14 medium, and 0 low severity. Key findings include Arbitrary command execution, Suspicious import: requests, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/gstdcoin/a2a/python-sdk/gstd_a2a/sandbox.py:26 |
| CRITICAL | **Agent Private Mnemonic Exposed via Tool.** The `get_agent_identity()` tool returns the agent's private mnemonic. If an attacker gains control of the LLM (e.g., via prompt injection), they can call this tool to exfiltrate the agent's full cryptographic identity, including the mnemonic. This would allow the attacker to drain all funds associated with the agent's wallet and impersonate the agent. Remove the exposure of the private mnemonic from `get_agent_identity()`. This tool should only return public information like the wallet address. The agent's mnemonic should be treated as a highly sensitive secret and never exposed externally. | LLM | main.py:30 |
| CRITICAL | **Unrestricted Blockchain Transaction Signing.** The `sign_transfer()` tool allows the agent to cryptographically sign arbitrary blockchain transfer transactions with a user-controlled `to_address`, `amount_ton`, and `payload`. An attacker who can manipulate the LLM's tool calls could instruct the agent to sign transactions that transfer its funds to an attacker-controlled address, leading to complete financial compromise. Implement strict guardrails and human-in-the-loop confirmation for any financial transactions, especially those involving transfers of funds. The LLM should not have unconstrained access to this tool. Consider whitelisting recipient addresses, setting spending limits, or requiring explicit user approval for transactions. | LLM | main.py:90 |
| CRITICAL | **Physical Actuation via Outsourced Computation.** The `outsource_computation()` tool allows the agent to create tasks for other agents, including tasks of type `openclaw-control`. The `examples/openclaw_bridge.py` demonstrates that such tasks can lead to physical actuation of hardware based on user-controlled `command` and `parameters`. An attacker could exploit this by instructing the LLM to create a malicious `openclaw-control` task, potentially causing physical damage or unauthorized actions if an OpenClaw device is connected and processing tasks. Implement strict validation and whitelisting for `task_type` and `input_data` when called by the LLM. Explicitly restrict or require human confirmation for `openclaw-control` tasks. Ensure that any physical actuation commands are thoroughly sanitized and validated against a predefined safe set of operations. | LLM | main.py:97 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'run_safe'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/gstdcoin/a2a/python-sdk/gstd_a2a/sandbox.py:26 |
| HIGH | **Unsanitized Content Stored in Global Hive Memory.** The `memorize()` tool allows the agent to store arbitrary `content` in the 'global grid' (Hive Memory). The `gstd_client.py::store_knowledge()` function, which is called by `memorize()`, does not apply any sanitization (like `SovereignSecurity.sanitize_payload()`) to the `content` before storing it. This creates a vector for prompt injection against other agents who might later `recall()` this unsanitized content. Malicious instructions or data could be injected into the shared memory, potentially manipulating other agents' behavior. Apply robust content sanitization and validation (e.g., `SovereignSecurity.sanitize_payload()`) to the `content` parameter before storing it in Hive Memory. Implement content moderation or reputation systems for stored knowledge to prevent the propagation of malicious instructions. | LLM | main.py:139 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/gstdcoin/a2a/python-sdk/gstd_a2a/gstd_client.py:1 |
| MEDIUM | **Suspicious import: requests.** Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/gstdcoin/a2a/python-sdk/gstd_a2a/gstd_wallet.py:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'requests' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/gstdcoin/a2a/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'mcp' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/gstdcoin/a2a/requirements.txt:2 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'pydantic' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/gstdcoin/a2a/requirements.txt:3 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'tonsdk' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/gstdcoin/a2a/requirements.txt:4 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'pynacl' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/gstdcoin/a2a/requirements.txt:5 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'requests' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/gstdcoin/a2a/starter-kit/requirements.txt:1 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'pydantic' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/gstdcoin/a2a/starter-kit/requirements.txt:2 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'tonsdk' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/gstdcoin/a2a/starter-kit/requirements.txt:3 |
| MEDIUM | **Unpinned Python dependency version.** Requirement 'pynacl' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/gstdcoin/a2a/starter-kit/requirements.txt:4 |
| MEDIUM | **Unpinned Dependencies in Requirements.** The `requirements.txt` and `setup.py` files specify dependencies without pinning them to specific versions (e.g., `requests` instead of `requests==2.28.1`). This introduces a supply chain risk, as a new, potentially vulnerable version of a dependency could be installed automatically, introducing security flaws or breaking changes without explicit review. Pin all dependencies to exact versions (e.g., `requests==2.28.1`). Regularly review and update dependencies to ensure security patches are applied, but do so in a controlled manner after testing. | LLM | requirements.txt:1 |
| MEDIUM | **Task Protocol Validation Bypass for Unknown Types.** The `validate_task_payload()` function in `python-sdk/gstd_a2a/protocols.py` explicitly returns `True` if a `task_type` is not found in the `TASK_SCHEMAS` registry. This means that if an attacker specifies an unknown `task_type` when calling `create_task()` (via `outsource_computation`), the `data_payload` will bypass schema-based validation. While `SovereignSecurity.sanitize_payload()` is still applied, this bypass reduces the overall security posture and could allow more complex prompt injections or malformed data to pass through. Change `validate_task_payload()` to return `False` or raise an error for unknown `task_type`s. All task types should have a defined schema for robust security. Alternatively, implement a default, highly restrictive schema for unknown types. | LLM | python-sdk/gstd_a2a/protocols.py:60 |
| MEDIUM | **Arbitrary Message Signing with Agent's Private Key.** The `gstd_wallet.py::sign_message()` function allows signing arbitrary string messages using the agent's private key. This function is used by `gstd_client.py::submit_result()` where the message signed is a concatenation of `task_id` and `result_json`. If `result_data` (which forms `result_json`) can be controlled by an attacker (e.g., a malicious worker agent returning a crafted result), the agent could be tricked into signing a malicious message. This signed message could then be used for unauthorized actions or to impersonate the agent in other contexts. Ensure that any input passed to `sign_message` is thoroughly sanitized and validated, especially if it originates from untrusted sources (like task results from other agents or LLM-generated content). Apply `SovereignSecurity.sanitize_payload()` or similar validation to `result_data` before it is used to construct the message to be signed. | LLM | python-sdk/gstd_a2a/gstd_wallet.py:100 |
Full report: https://skillshield.io/report/92570f67b288eff5
Powered by SkillShield